Forum Discussion
bryanb
Apr 28, 2020 (Brass Contributor)
Azure ATP Group Managed Service Account (gMSA)
Hello, we are switching our service account for ATP to a gMSA. We are following the gMSA guidance in this article: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequ...
Or Tsemah
May 05, 2020 (Iron Contributor)
bryanb, the main requirement for the creation of the gMSA is indeed the PrincipalsAllowedToRetrieveManagedPassword attribute, which points to a group that contains the computer accounts with the sensor installed (you can use the Domain Controllers group or a dedicated group for that).
bryanb
May 07, 2020 (Brass Contributor)
Or Tsemah
Thanks for the response. Something else we found during testing.
We have read-only domain controllers, so that is a different group that needs to be added to the gMSA properties.
We had to grant the gMSA "Log on as a service" rights on each domain controller. A standard account did not require this OS right on the AD DS servers.
Or Tsemah
May 07, 2020 (Iron Contributor)
Yes, that's why you should consider using dedicated groups.
Regarding the log in as a Service permission, you can view possible workaround in here: https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/azure-atp-service-not-starting/m-p/1368747#M1175
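The setup discussed in this thread, written out as an added PowerShell example (not code from either poster or from Microsoft's documentation): a dedicated group that holds every domain controller, including the read-only ones, and a gMSA whose PrincipalsAllowedToRetrieveManagedPassword points at that group. The group name, gMSA name and description are assumptions chosen for illustration.

```powershell
# Added example, not from the thread: dedicated sensor-host group plus gMSA, then checks.
# Run on a writable DC or a host with the AD PowerShell module, as a domain admin.
Import-Module ActiveDirectory

$GroupName = 'AATP-Sensor-Hosts'   # assumed name for the dedicated group
$gMSAName  = 'gMSA-AATPSensor'     # assumed gMSA name (keep the SAM name at 15 chars or fewer)
$DnsSuffix = (Get-ADDomain).DNSRoot

# A gMSA cannot be created without a KDS root key in the forest; stop early if it is missing.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; create one with Add-KdsRootKey before creating the gMSA.'
}

# Dedicated group instead of the built-in Domain Controllers group, as suggested in the thread.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the Azure ATP sensor gMSA password'
}

# Get-ADDomainController returns writable and read-only DCs alike. RODCs are not members of
# the Domain Controllers group, which is why the thread had to cover them separately.
$sensorHosts = Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADComputer -Identity $_.ComputerObjectDN
}
Add-ADGroupMember -Identity $GroupName -Members $sensorHosts

# PrincipalsAllowedToRetrieveManagedPassword is the attribute the thread identifies as the
# real requirement: only members of this group can fetch the managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gMSAName'")) {
    New-ADServiceAccount -Name $gMSAName -DNSHostName "$gMSAName.$DnsSuffix" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
        -KerberosEncryptionType AES256
}

# Checks: the attribute must point at the group, and the group must hold every DC.
$acct = Get-ADServiceAccount -Identity $gMSAName -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword
(Get-ADGroupMember -Identity $GroupName | Measure-Object).Count
(Get-ADDomainController -Filter * | Measure-Object).Count

# On each sensor host, after a reboot (the computer's Kerberos ticket has to pick up the new
# group membership), this returns True; until the reboot it returns False.
Test-ADServiceAccount -Identity $gMSAName
```

The "Log on as a service" right that bryanb had to grant is a user-rights assignment on the domain controllers (normally set through the Default Domain Controllers Policy), so it is not covered by this script.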